Joy Matheka vs AMREF Staff Savings and Credit Society Limited & Gleannmore Limited

Cases Detail

Cases

Joy Matheka vs AMREF Staff Savings and Credit Society Limited & Gleannmore Limited

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: right to privacy,data processing,consent,data subjects’ rights

Case Summary

This complaint arose after Joy Matheka (the Complainant) filed a complaint at the ODPC about AMREF Staff Savings and Credit Society Limited (1st Respondent) and the continuous calls originating from their agents regarding a loan wherein she was named as a guarantor without her consent, and knowledge. In response, the 1st Respondent argued that they outsourced collection to Gleannmore Limited (2nd Respondent). In their part, the 2nd Respondent averred that while they cannot deny making the calls, they were firm in their contestation of the reason as to why the calls were made. They claimed that they only made the calls to the Complainant to seek the whereabouts of the debtor. And that the Complainant was receptive and cooperative after the first phone call, saying that she offered to revert back to the officer with information about the whereabouts of the debtor. 

Issues for Determination

  1. Whether there was a violation of Complainant's rights, including to be informed of data being used, under the Act;
  2. Whether the Respondents fulfilled their obligations under the Act; and
  3. Whether the Complainant is entitled to any remedies under the Act and the attendant Regulations.

Determination 

The 1st Respondent did not use the Complainants data, owing to the fact that it outsourced collection. Thus, it did not violate the Complainants right to, for instance, be informed of the use of their data, and also for the data to be collected directly from the subject. As for the 2nd Respondent, contrarily, there was deemed to be a violation of the above rights. 

The 1st and 2nd Respondent were data controllers and processors respectively, thus accruing obligations under the Data Protection Act. For instance, the Respondents had an obligation under Section 25 of the Act to adhere to the principles of data protection while processing the Complainant's personal data. An equally relevant obligation is that such controllers and processors respect the right to privacy and that data is collected for explicit, specified and legitimate purposes. This is prudently articulated in Section 25. Both Respondents had the obligation to discharge the burden of proof, that consent was duly obtained from the Complainant. The 1st Respondent was found to have discharged this burden by proving that they did not call, nor collect her data. Contrarily, the 2nd Respondent did not do the same. Their response was inadequate. 

In light of the foregoing, the Complainant was entitled to remedies. An enforcement notice was thus issued.

 Analysis

The case reveals two main issues: the potential violation of the complainant's rights and the respondents' fulfillment of their obligations under the Data Protection Act (DPA). The 1st Respondent adhered to the DPA by proving it neither collected nor processed the complainant's phone number, effectively distancing itself from allegations of misconduct. In contrast, the 2nd Respondent failed to clarify how it obtained the complainant's phone number, leading to an inappropriate invasion of privacy by contacting her without proper justification. This lack of transparency from the 2nd Respondent indicates a breach of the data protection principles outlined in Sections 25 and 28 of the DPA, as it failed to obtain explicit consent for processing the complainant's personal data. The 2nd Respondent's admissions suggest a systemic lack of data protection safeguards and the absence of a robust consent management process, calling into question the entity's overall compliance with data protection standards. Consequently, the 2nd Respondent's actions warranted an Enforcement Notice to stop further harassment and address its non-compliance with the DPA.

The case, as said, was of potential violations of the DPA by the 1st and 2nd Respondents, with a particular focus on the balance of responsibilities and liabilities between them. The 1st Respondent adhered to the DPA by demonstrating compliance with Sections 25 and 28, proving that it neither collected nor processed the complainant's phone number. This avoidance of blame illustrates the benefit of adhering to strict data protection principles and carefully managing outsourcing arrangements, as warranted by Section 41 of the DPA.

In contrast, the 2nd Respondent failed to establish how it obtained the complainant's personal phone number, violating Section 28, which mandates that personal data be collected directly from the data subject unless specific exemptions apply. Furthermore, its inability to demonstrate consent from the complainant as required under Section 32 and lack of clarity on its data processing practices signal a failure to comply with Sections 25(a) and (c). This lack of transparency and disregard for the principles of data protection points to systemic weaknesses in the 2nd Respondent's data handling protocols.

This case is interesting mostly for the fact that it is a compelling reminder of the importance of adhering to data protection obligations, especially when outsourcing data processing tasks. If data controllers fulfill their responsibilities, as the 1st Respondent did, they can effectively mitigate liability. Conversely, failing to implement appropriate measures, as seen with the 2nd Respondent, can lead to enforcement notices and significant reputational damage. The 2nd Respondent's case emphasizes the need for data controllers and processors to maintain a comprehensive approach to data privacy and protection, ensuring compliance with the DPA and safeguarding individuals' rights. 

Essentially, this case is one that shows that if controllers and processors do their part, they can avoid liability, regardless of what happens after they have done their part. 

Frequently Asked Questions

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: is a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.