Victory Owino vs Wananchi Group (K) Ltd

Cases Detail

Cases

Victory Owino vs Wananchi Group (K) Ltd

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: right to privacy,data protection,direct marketing,consent,right to erasure,unsolicited messages,privacy breach

Case Summary

This case arose out of the fact that Victory Owino (Complainant) took up the Wi-Fi services of Zuku Fibre provided by the Respondent, Wananchi Group (K) Ltd. In doing so, the Complainant alleges that upon her subscription to the services, she denied giving consent to receive promotional calls or messages. Further, she was not informed that her right to deny the foregoing was hinged on her having a router installed in her home. Essentially, that as long as she had possession of the router, the Respondent had the right to contact her for promotional reasons. Despite many requests via email to halt this, the Respondent continued without respecting the Complainants wish. In Response, Wananchi Group (K) Ltd made the case that the Complainant consented to the terms and conditions of the Respondent, and was aware that to affect an account closure, the equipment in her possession would have to be relinquished. Thus, the Respondent argued its case to have lawfully retained the Complainants data.  

Issues for Determination

  1. Whether there was a violation of Complainant's right to erasure and rectification under the Act;
  2. Whether the Respondent fulfilled its obligations under the Act to respect the right to erasure and rectification; and
  3. Whether the Complainant is entitled to any remedies under the Act and the attendant Regulations.

Determination

There was a violation to the Complainants rights under Section 40 of the Data Protection Act. Section 32(2) provides that the Respondent bears the burden of proof for establishing a data subject's consent to the processing of their personal data.This burden was not discharged.

The respondent failed to fulfill its obligations to process personal data in accordance with the right to privacy of the data subject. Also, the Respondent had the obligation to respect the complainant's right of erasure and not providing proof of a lawful basis for retaining the complainant's personal details. Equally, while it was true that the terms and conditions stated how the account would be terminated, requiring the relinquishing of the equipment, the terms and conditions also had a proviso. The same stated that an account would also be terminated if, after ninety days, it remains unpaid. Therefore, the idea that the terms and conditions allowed the Respondent to maintain the data in its possession was found to be baseless.

The complainant was entitled to remedies, including compensation amounting to quarter of a million Kenyan Shillings. 

 Analysis

The case underscores the importance of data controllers adhering to the Data Protection Act to safeguard data subjects' privacy rights. The complainant's experience with unsolicited calls and messages from the respondent highlights a breach of Sections 26 and 40 of the Act, which require explicit consent for data processing and handling of personal data according to privacy rights. The respondent's failure to respect the complainant's right to erasure and retention limitations (Sections 39 and 41) revealed inadequate data protection measures, including continuing to market services to the complainant despite her requests to cease. The case demonstrates that companies must establish clear opt-out options in their services and comply with consent requirements to avoid legal and financial consequences, as seen by the respondent's liability and the enforcement notice issued against them. This reinforces the significance of upholding data protection laws to maintain trust and integrity in data handling and processing practices. 

Equally, despite the apparent argument that the Complainant had consented, under the terms and conditions of the Respondent, there was still a breach owing to the overarching superiority of the direction under the Act. It also showed that the ODPC would be thorough in its determination, by finding within the terms and conditions of the Respondents, an impugning term (that if an account is unpaid for ninety days, it would be terminated) that broke the Respondents case. 

 

Frequently Asked Questions

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: is a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.