
Maina Kimaru vs. Premier Credit Limited

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: data protection, privacy breaches, Informed Consent, Direct Marketing, Opt-out mechanisms

Case Summary

Maina Kimaru lodged a complaint against Premier Credit Limited, alleging that he had been receiving persistent calls and promotional messages from the company promoting its loan products. He further stated that he had repeatedly communicated his disinterest in the advertised products, yet the respondent failed to honour his wishes. In his complaint, Mr Kimaru attached screenshots of the messages he had been receiving from the respondent, although he did not provide any proof of the calls.

On receiving the complaint, the Office of the Data Protection Commissioner (ODPC) issued a Notification of Complaint to Premier Credit Limited, requiring the respondent to respond to the allegations, attach evidence in support of its response, state the mitigation measures it had taken to address the complaint, and state the legal basis on which it had collected and processed the complainant's data.

Premier Credit Limited, a microfinance company, responded by stating that the complainant's phone number did not exist in its database, and that the phone numbers used to contact Maina Kimaru belonged to independent sales agents whom the company had contracted. Further, producing letters of termination as proof, Premier Credit Limited stated that it had terminated one agent on 1 October 2022, and that the other two agents were subsequently terminated after investigations confirmed that they had breached their agreement with the company and the company's policy. Premier Credit Limited also said that it continuously trains its agents to ensure that they adhere to their data protection obligations, and that it does not market to parties who have not consented through the company's opt-in mechanisms. Taking into account the parties' arguments and the ODPC's own investigations, the office considered the issues below.

Issues for Determination

  1. Whether Premier Credit Limited provided an opt-out mechanism for promotional messages; 
  2. Whether Maina Kimaru's rights under the Act were infringed due to the unrelenting calls and messages;
  3. Whether Premier Credit Limited had obligations to fulfil under the Data Protection Act, 2019; 
  4. Whether the independent sales agents breached their agreements with Premier Credit Limited; 
  5. Whether Maina Kimaru is entitled to remedies under the Data Protection Act, 2019 and its accompanying regulations.

Determination

On whether Premier Credit Limited provided an opt-out mechanism for promotional messages

On the first issue, the ODPC found that the respondent did not provide a proper opt-out mechanism for the promotional messages, in violation of the Data Protection (General) Regulations, 2021. As the screenshots of the promotional messages showed, no opt-out mechanism was available to Mr Kimaru. The respondent's evidence did not prove anything to the contrary, confirming that it did not provide a proper opt-out mechanism for the recipients of the messages.

On whether Maina Kimaru's rights under the Act were infringed due to the unrelenting calls and messages

On the second issue, the ODPC found that the complainant's rights under the Data Protection Act were violated. In particular, the respondent violated the data subject's right under Section 26 (a) of the Act to be informed of how his data was to be used when it was collected, as it did not inform him that the data would be used for direct marketing. Furthermore, the respondent violated the data subject's right to object to processing under Section 26 (c), since his repeated requests to stop the direct marketing messages did not bear fruit and he continued to receive them.

On whether Premier Credit Limited had obligations to fulfil under the Data Protection Act, 2019

The ODPC found that the respondent owed the complainant various obligations under the Act, because the company fits the Act's definition of a data controller. These include the obligation to process data in accordance with the principles set out in Section 25 of the Act: that personal data be processed with respect for the right to privacy; lawfully, fairly and transparently; for explicit, specified and legitimate purposes, and not further processed in a manner incompatible with those purposes; and collected only where a valid explanation is provided whenever data relating to family or private affairs is required.

The respondent also had obligations towards the complainant under Section 28 of the Act, which governs the collection of personal data. That section requires the respondent to collect personal data directly from the data subject, and to collect it indirectly only in limited situations, such as where the data is contained in a public record, the data subject has deliberately made the data public, or the data subject has consented to collection from another source. The respondent failed to show that any of these conditions applied, and so could not justify the indirect collection of the data.

The respondent further owed the complainant an obligation under Section 29 of the Act to notify him of his rights in this context, of the fact that his data was being collected and for what purpose, of any third parties who would have access to the data and the safeguards taken, and of the technical and organisational security measures taken to protect the confidentiality of the data.

There was also a duty owed by the respondent under Section 30 to process personal data only with the data subject's consent, which the respondent failed to prove it had obtained. Under Section 32, the burden of proof to establish the data subject's consent lies on the respondent as data controller, and the respondent failed to discharge it. Consent is also required under Section 37 of the Act before a data controller may carry out direct marketing, yet the data controller failed to obtain it.

Finally, the data controller had obligations arising from its dealings with data processors, who in this case are the independent agents. Sections 42 (2), (3) and (4) of the Act provide that a data controller dealing with a data processor must engage only processors who provide sufficient guarantees of processing data in accordance with the principles of data protection by design or by default (Section 41), and must enter into written agreements with those processors binding them to the data controller's obligations. A data processor who fails to act as instructed by the controller is treated as a data controller in its own right. In this case, the data controller failed to demonstrate that it had entered into data processing agreements with the independent sales agents acting on its behalf, and so failed to fulfil its obligations under the Act.

On whether the independent sales agents breached their agreements with Premier Credit Limited

On this issue, the ODPC found that the respondent's independent sales agents did not breach their agreement with the respondent, leaving Premier Credit Limited liable for all the breaches of the complainant's rights. The independent sales agents were data processors acting on behalf of the respondent, the data controller. In its response to the complaint, the respondent claimed that it had terminated its sales agreements with the independent agents for breach of a term stating that "you are obligated to ensure that you do not market the Company's products…to any individual you have not met physically". However, the ODPC could not find this clause in the sales agreements, and so the sales agents did not breach their agreement with the company.

Liability attaches to data processors where they fail to comply with their obligations under the Act, or where they act contrary to the data controller's lawful instructions when processing data. Data controllers involved in the processing, on the other hand, are liable for any damage caused by the processing. Since the respondent produced no evidence of any limits placed on the processing of data, the sales agents had been granted broad rights to market the company's products and therefore did not operate outside the data controller's lawful instructions.

On whether Maina Kimaru is entitled to remedies under the Data Protection Act, 2019 and its accompanying regulations

The ODPC found that the complainant is entitled to a remedy under the data protection law, having found that his rights were infringed contrary to the Data Protection Act and its accompanying regulations. The complainant is also entitled to a financial remedy, since the Act provides that a data subject whose rights have been infringed is entitled to compensation for the damage suffered, which may include financial loss or non-financial loss such as distress. In this case, under Regulation 14 (3) (e), the Data Commissioner ordered the respondent to pay compensation to the data subject.

Analysis

In this case, the complainant alleged that the respondent sent him incessant promotional messages and calls promoting the respondent's loan products, and that despite his expressing disinterest in the advertised products, the respondent did not relent. The issues determined were the respondent's obligations as a data controller under the Act, the breach of the complainant's right to object to the processing of his personal data, and the failure to obtain consent for sending promotional messages. The Data Commissioner found the respondent liable for these violations, leading to the issuance of an Enforcement Notice and an award of compensation to Kimaru. The case highlights the role of data protection regulation in safeguarding individuals' privacy rights and in holding organisations accountable for non-compliance with data protection laws.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

A data controller is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the establishment and administration of the data filing system.

A data processor is a natural or legal person that processes personal data on the basis of a data controller's authorisation.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.