John Kabiru vs Safaricom PLC

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: right to privacy, data protection, third-party data sharing, right to rectification and erasure

Case Summary

A complaint was filed by John Kabiru against Safaricom PLC (the Respondent), alleging that his personal mobile phone number had been shared without consent with customers of Guaranty Trust Bank (Kenya) Limited (the Interested Party). These customers, making payments to Mount Kenya University via M-Pesa paybill, were occasionally advised to contact the Complainant for transaction reversals, despite him having left employment with the Interested Party in 2018.

The Complainant claimed that this unauthorized sharing of his personal data had caused numerous inconveniences, including receiving unsolicited calls and messages from students seeking transaction reversals, sometimes leading to verbal abuse. He further alleged that the issue had persisted since 2018, intensifying during school fee payment periods. The Complainant stated that despite informing the Respondent multiple times, his number remained associated with the paybill account. He sought compensation for the distress and disruptions caused.

The Office of the Data Protection Commissioner (ODPC) enjoined Guaranty Trust Bank (Kenya) Limited as an Interested Party and requested responses from both the Respondent and the Interested Party. The Respondent argued that the responsibility for updating paybill administrators lay with the Interested Party, and it had not received any formal notification to remove the Complainant’s contact information. The Interested Party confirmed that the Complainant was a former employee and had initially consented to the use of his data but had since been removed from its internal systems. However, upon learning of the complaint, the Interested Party promptly requested the Respondent to delete the Complainant’s details from its records.

Issues for Determination 

  1. Whether there was a violation of the Complainant’s privacy rights under the Act.
  2. Whether the Complainant is entitled to any remedies under the Act and attendant Regulations.

Determination

The ODPC found that the Complainant, as a data subject, had the right to request the deletion of his personal data. However, according to the terms of the paybill agreement, the responsibility for updating or removing paybill administrators lay with the Interested Party. The ODPC noted that no evidence was provided by the Complainant or the Interested Party proving that the Interested Party had requested the Respondent to remove the Complainant’s details prior to the complaint.

Additionally, the Complainant did not demonstrate that he had exercised his right to rectification and erasure by formally requesting the Interested Party to update the records before approaching the Respondent. The Interested Party took swift remedial action once the issue was raised by the ODPC, ensuring the deletion of the Complainant’s contact details.

Consequently, the ODPC determined that there was no violation of the Complainant’s rights under the Data Protection Act, as he had not made a formal request to the responsible party. Since the Interested Party had acted promptly to rectify the issue, the Complainant was not entitled to any remedies under the Act.

Analysis

This case underscores the importance of proper data management and compliance with data protection laws, particularly regarding the rectification and erasure of personal data. It highlights the need for clear communication between data controllers and data subjects to ensure that personal data is updated or deleted as required by law.

Furthermore, the case emphasizes that data subjects must follow the prescribed processes when requesting the deletion of personal data and that organizations must ensure they have adequate mechanisms to respond to such requests in a timely manner. While the Respondent was not found liable in this instance, the case serves as a reminder for data controllers to review their processes to prevent similar occurrences in the future.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: a natural or legal person who processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: personal data must be processed fairly and lawfully; it must be accurate and up to date; it must be processed for specified, explicit, and legitimate purposes; it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed; and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.