Eric Migwi & Scholastica Onon -vs- Whitepath Company Limited

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: unlawful data processing, privacy breaches, consent

Case Summary

The case involves Eric Mwangi and Scholastica Onon, who filed complaints against Whitepath Company Limited (the Respondent) with the Office of the Data Protection Commissioner in Kenya. The complainants alleged that they received constant messages from the Respondent demanding payment as guarantors of loans they claim to know nothing about. In response, the Respondent stated that the second complainant, Scholastica Onon, was listed as an emergency contact by a loan applicant named Anthony Mbatha, who applied for a loan from the Respondent. The Respondent claimed that Scholastica Onon was notified of this nomination as an emergency contact and did not opt out, thereby consenting. Upon receiving the Respondent's response, investigations were conducted as required by Regulation 13(1) of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations 2021. The Data Protection Commissioner then made a determination based on the findings of the investigations, as outlined in Regulation 14 of the same regulations.

Issues for Determination

  1. Whether the Respondent obtained valid consent from the complainant to process their personal data. 
  2. Whether the complainant's personal information was handled per the law. 
  3. Whether the complainant's personal information was lawfully processed. 

Determination 

Whitepath Company Limited was found liable for unlawfully processing the personal data of complainants Eric Mwangi and Scholastica Onon. The Commissioner determined that the Respondent failed to provide evidence demonstrating that the complainants had consented to the processing of their personal data, leading to the conclusion of unlawful data processing. An enforcement notice was issued to the Respondent, outlining corrective actions to address the non-compliance with data protection regulations. Additionally, all parties were informed of their right to appeal the decision to the High Court of Kenya, allowing for further legal review if desired.

Analysis

In this case, the key issues and analysis revolved around consent to data processing, communication of personal information, compliance with regulations, and liability.

  • Consent to Data Processing: The primary issue was whether the Respondent obtained valid consent from the complainants to process their personal data. The Respondent had the burden of proof to establish consent. However, investigations revealed a lack of evidence supporting the Respondent's consent claim, leading to the determination that the Respondent processed the data unlawfully. Section 28 of the Data Protection Act on collecting personal data provides for circumstances where personal data may be indirectly collected, including where the data subject has consented to the collection from another source. Such consent was not given in this case; as such, the collection of the complainant’s personal information was unlawful.

  • Communication of Personal Information: Another key issue was the Respondent's communication and handling of personal information. The complaints alleged that the Respondent demanded payment from the complainants as guarantors of loans they were unaware of. The Respondent's response regarding the second complainant being listed as an emergency contact without explicit consent raised concerns about transparency and proper handling of personal information. This links to section 29(b) of the Data Protection Act, which requires the data controller or processor to notify the data subject that their data is being collected.

  • Compliance with Regulations: The case also focused on whether the Respondent complied with the Data Protection (Complaints Handling Procedure and Enforcement) Regulations 2021. The Respondent's response to the complaints, provision of requested information, and adherence to data protection policies were assessed to determine compliance with regulations. This analysis was essential in evaluating the Respondent's adherence to legal requirements.

  • Liability and Enforcement: The final determination addressed the liability of the Respondent for unlawfully processing personal data. The issuance of an enforcement notice highlighted the need for corrective actions to rectify non-compliance with data protection regulations. Enforcement notices are prescribed under section 58, the purpose of which is to require the offender to take measures to remedy the breach in data or non-compliance within a specified period of time. Additionally, the burden of proof of establishing a data subject's consent lies with the data controller and processor per section 32(1).

This case holds significant implications for data protection and especially regulatory compliance. Addressing issues such as consent to data processing, communication of personal information, compliance with data protection regulations, and liability for unlawful data processing underscores the importance of upholding individuals' privacy rights and ensuring the lawful handling of personal data. The case serves as a reminder of the legal obligations and responsibilities associated with processing personal data, emphasising the need for organisations to raise awareness about data protection laws and regulations. It highlights the crucial role of regulatory authorities, like the Data Protection Commissioner, in enforcing regulations and holding organisations accountable for non-compliance. Moreover, the provision of legal remedies, such as enforcement notices and the right to appeal to the High Court of Kenya, underscores the availability of mechanisms for addressing data privacy violations and maintaining trust with data subjects. Overall, this case exemplifies the significance of respecting privacy rights, ensuring regulatory compliance, and providing avenues for redress in cases of data protection breaches.

 

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.