Ben Mamicha vs. Bridge Oxford International

Country: Kenya
Court: ODPC
Status: Determination
Tags: Direct Marketing, data protection, privacy breaches, consent, unlawful collection

Case Summary

The Complainant, Ben Mamicha, lodged a complaint against Bridge Oxford International (the Respondent) alleging the unlawful collection and processing of his personal data. The Complainant stated that the Respondent accessed his personal contact and professional details from a third party without his consent. Subsequently, the Respondent used this unlawfully obtained data to send him unsolicited emails for commercial purposes. The Complainant highlighted that he had not provided consent for his data to be collected or used in this manner, nor was he informed of the particulars required by Section 29 of the Data Protection Act (DPA), 2019, regarding data collection. The Respondent, Bridge Oxford International, did not file a response to the complaint, leading the Data Commissioner to proceed with the determination based on the evidence provided by the Complainant.

Issues for Determination

The Office of the Data Protection Commissioner identified the following issues for determination:

  1. Whether the Respondent unlawfully collected the Complainant's personal data without consent.
  2. Whether the Respondent failed in its duty to notify the Complainant of the particulars of data collection as required by the Act.
  3. Whether the Respondent used the Complainant's personal data for commercial purposes without his consent.
  4. Whether the Respondent violated the Complainant's rights as a data subject under the Data Protection Act, 2019.

Determination

The Office of the Data Protection Commissioner made the following final determination:

  • The Respondent, Bridge Oxford International, is hereby found liable for violating the rights of the data subject as provided for in the Act.
  • An Enforcement Notice is hereby to be issued to the Respondent.

Analysis

The ODPC's analysis underscored several key violations by the Respondent. The findings rested primarily on the Respondent's failure to respond to the complaint, which meant the Complainant's assertions stood uncontroverted.

Firstly, the Commissioner found that the Respondent collected the Complainant's personal contact and professional details from a third party without the Complainant's consent, which is a direct contravention of Section 28(1) of the Data Protection Act, 2019, requiring data controllers or processors to collect personal data directly from the data subject.

Secondly, the Respondent neglected its duty to notify the Complainant. The ODPC highlighted that the Respondent failed to inform the Complainant of the particulars required under Section 29 of the Act, which outlines the information that must be provided to a data subject when collecting their personal data (e.g., identity of the data controller, purpose of processing, categories of data collected, etc.). This omission further compounded the unlawful collection.

Finally, the analysis concluded that the Respondent used the Complainant's personal data for commercial purposes (sending unsolicited emails) without his consent, which is a violation of Regulation 15(4) of the Data Protection (General) Regulations, 2021. This regulation specifically prohibits the use of personal data for direct marketing without explicit consent, and moreover, imposes criminal liability for such an action.

In light of these multiple violations and the Respondent's failure to provide any defense or explanation, the ODPC determined that the Respondent had indeed infringed upon the Complainant's data protection rights, leading to the issuance of an enforcement notice.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.