Tom Ruto and Edwin Taragon v Premier Credit Limited

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: data protection,privacy breaches,duty to notify,consent,direct marketing

Case Summary

The Complainants raised concerns about receiving unsolicited promotional messages from the Respondent, particularly about loan offers, despite never having shared their contact information with it. The first Complainant specifically mentioned getting persistent loan-related messages, while the second Complainant reported that their number had been used for marketing without consent.

The Respondent refuted these claims, stating they only gather personal data directly from individuals who engage with their services voluntarily, either in person or through completing loan application forms.

Upon investigation, the Office of the Data Protection Commissioner (ODPC) discovered that the mobile numbers from which the messages were sent to the Complainants were linked to an independent sales agent of the Respondent. It was also found that the second Complainant was in fact a customer with an active loan, contradicting their claim of unsolicited contact.

Issues for determination

  1. Whether prior consent was sought and obtained from the Complainants before collecting their personal data and using it to send promotional messages to them
  2. Whether the Respondent provided an opt out mechanism to the Complainants to its promotional messages
  3. Whether there was any infringement of the Complainants' rights as data subjects provided for in the Data Protection Act

Determination

The Respondent is found liable for not obtaining prior consent as per Section 37 of the Data Protection Act.

Analysis

  1. Obtaining Prior Consent

The Data Protection Act, particularly Section 37, explicitly requires that personal data must not be processed without clear, informed, and freely given consent. This consent must encompass the specific purposes for which the data is collected and used. In this case, Premier Credit Limited was unable to demonstrate that they had obtained such consent from the complainants before using their personal data for marketing purposes.

The claim by the Respondent that they only collect data directly from individuals when they engage voluntarily contradicts the complainants' assertion that they never provided their personal data for marketing purposes. This discrepancy highlighted a potential breach in obtaining necessary consents and underscored the lack of transparency in the Respondent’s data handling practices.

  2. Duty to Notify and Provide an Opt-Out Mechanism

According to Section 29 of the Data Protection Act, data controllers are required to notify data subjects about the specifics of data processing at the time of data collection. The Respondent’s failure to provide an opt-out mechanism in their promotional messages further infringes on the complainants' rights under the Act, specifically contravening Regulation 15(1)(d) of the Data Protection (General) Regulations, 2021, which mandates that data subjects must be given an easy method to refuse the use of their data for marketing.

The lack of an evident and accessible opt-out option in promotional communications not only violates the regulatory framework but also undermines the trust between the data subject and controller, which is fundamental to the ethical use of personal data.

  3. Infringement of Data Subjects' Rights

The ODPC’s finding of multiple violations of the Act by the Respondent reflects a broader issue of non-compliance with data protection standards. The Respondent's practices did not align with the principles of lawful, fair, and transparent processing.

Particularly troubling is the Respondent's failure to adequately address how the first complainant's contact information was acquired and used without consent. This situation raises concerns about the integrity of the Respondent's data management processes and their adherence to legal standards.

The ODPC's determination in this case underscores the importance of upholding stringent data protection standards to protect individuals from unauthorized use of their personal data. The decision rightly highlights the necessity for data controllers to establish clear, transparent, and compliant mechanisms for data collection and processing.

However, the case also exposes potential gaps in enforcement and the need for more rigorous oversight of data handling practices, particularly in the digital lending space where personal data is extensively used. The ODPC's active role in investigating such breaches is crucial, but there is also a need for greater proactive measures to ensure compliance before breaches occur.

This case serves as a critical reminder of the legal and ethical obligations of data controllers under the Data Protection Act, 2019. It emphasises the need for businesses to foster practices that not only comply with the law but also respect the personal autonomy and rights of individuals regarding their personal data.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the establishment and administration of the data filing system.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows:

  • it must be processed fairly and lawfully,
  • it must be accurate and up to date,
  • it must be processed for specified, explicit, and legitimate purposes,
  • it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and
  • it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.