Kennedy Owuor v Aventus Group

Cases Detail

Cases

Kennedy Owuor v Aventus Group

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: right to privacy,prior consent

Case Summary 

Kennedy Owuor (hereinafter ‘the Complainant’) alleged that an agent to Aventus Group (hereinafter ‘the Respondent’) engaged his phone with persistent incoming calls in the name of ‘Lendplus’ a FinTech company launched by the Respondent which offers loan services online. As a result, the Complainant had to switch off his device. The Complainant’s trial to make the agent understand his status in the matter as a third party and not direct client further led to the Complainant being verbally abused. 

To this, the Respondent stated that the Complainant’s status as an alternative contact to their direct client prompted them to contact them. Expounding on this, the Respondent stated that the procedure to obtain the Complainant’s number is a measure to reach out to the primary client when unreachable and that all calls made by the agents are recorded of which no record reflects the complaint in question.

Further to this, it was found by the ODPC that the Respondent is required to directly contact the data subject for prior consent with respect to the data being collected of which no evidence was tendered.

Issues for determination

  1. Whether the Respondent fulfilled its duty to notify the Complainant of the use of their contact details as per Section 29 of the Act.
  2. Whether the Respondent infringed the Complainant’s right to privacy
  3. Whether the Complainant is entitled to the remedies sought for the alleged breach

Determination

The Respondent was held liable for not having directly collected personal data from the Complainant under Section 28 of the Data Protection Act (hereinafter ‘the Act’) as well as failure to duly inform and obtain prior consent from the Complainant under Section 29 of the Act. In addition to this, the ODPC found that the Respondents were infringing the rights of the Complainant as illustrated in Section 26 of the Act. They however were not granted the prayer for compensation due to their inability to demonstrate loss of any form accrued. 

Analysis

  1. Whether the Respondent fulfilled its duty to notify the Complainant of the use of their contact details as per Section 29 of the Act

The Respondent’s duty to inform the Complainant of the use of their personal data was not duly executed as they did not obtain prior consent from the Complainant and further failed to demonstrate that if not, such a procedure was in fact carried out or falls under any of the exemptions stipulated in Section 28(2) of the Act. The lack of surety in contacting the Complainant despite the degree to which a representative from the Respondent’s office contacted them further shows the lack of credibility in the Respondent’s doubts as to having obtained prior consent.

  1. Whether the Respondent infringed the Complainant’s right to privacy

Having obtained the Complainant’s contact without prior authority as to their data collection  or the purpose behind it is demonstrative of the violation to be informed of the data that is in custody of the data processor, how it is being used, whether in fact it can be processed or it is guided by misleading data. Therefore, the Respondent was charged.

III. Whether the Complainant is entitled to the remedies sought for the alleged breach

As loss in (non) financial ways were not sufficiently demonstrated by the Complainant, their prayer for compensation was denied highlighting the importance of providing great backing to the claimed loss one bears as did the Complainant.

 

 

Frequently Asked Questions

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: is a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.