Gloria Adisa Diffu vs Safaricom PLC/ODPC

Country: Kenya
Court:
Status: Determination
Tags: data protection, privacy, breach

Attachments:

Complaint No 856 of 2022

The case involved a complaint filed by Gloria Adisa Diffu, the Complainant, against Safaricom PLC, the Respondent, regarding the omission of a day's transaction in her M-PESA statement. She alleged that this omission affected a legal matter in the Small Claims Court, leading to the loss of her case. The Data Protection Commissioner investigated the complaint and found that Safaricom rectified the incomplete data by providing the missing transactions to the Complainant. Despite her claims of foul play and conspiracy, the Commissioner determined that Safaricom fulfilled its duty to rectify the data without undue delay. The Commissioner dismissed the complaint, stating that the Complainant could appeal the determination if she desired.

Issues for Determination

1.    Whether the ODPC had jurisdiction to determine the issues raised in the Complaint.

2.    Whether there was a breach of the Data Protection Act.

3.    Whether the Complainant was entitled to any remedy under the Act.

Determination:

1.    Infringement of Data Subject's Rights

The Commissioner analysed whether there was any infringement of the Complainant's rights as a data subject under the Data Protection Act, 2019, and determined that the Respondent fulfilled the duty to rectify incomplete or misleading personal data in its custody. Hence, there was no undue delay in processing and rectifying the data requested by the Complainant, and the data subject’s rights were not infringed. 

2.    Validity of Evidence 

The Commissioner noted that the Complainant had filed the rectified M-PESA statement as evidence in court. However, the Commissioner found that the case was not dismissed due to the omitted transactions but rather involved elements of an oral contract and the performance of obligations arising from it. The Commissioner also mentioned that the Complainant's attempt to introduce the rectified statement as evidence after a ruling had already been made led to it being expunged from the record.

3.    Entitlement to Remedy

Based on the findings, the Commissioner determined that the Complainant was not entitled to any remedy under the Data Protection Act as the Respondent had rectified the incomplete personal data by providing the missing statements requested by the Complainant. The Commissioner advised the Complainant to make a fresh request for retrieval of her M-PESA statements through the channels provided by the Respondent.

4.    Determination 

In light of the above, the Data Commissioner dismissed the complaint, stating that the Respondent had fulfilled its duty to rectify the incomplete personal data by providing the missing statements requested by the Complainant. As a result, the Data Commissioner found that the Complainant was not entitled to any remedy under the Data Protection Act. The Commissioner also mentioned that the Complainant had the right to appeal this determination if she wished to do so.

Analysis

Rectification of Incomplete or Misleading Personal Data

Article 31 of the Constitution of Kenya recognised the right to privacy, and the Data Protection Act was enacted to guarantee this right. The Data Protection Act, 2019 provided rights to data subjects, including the right to rectification and erasure of personal data (Section 40(1)(a)). Hence, data controllers and processors were obligated under the Act to rectify incomplete or misleading personal data in their custody. 

Jurisdiction of the ODPC

The Office of the Data Protection Commissioner (ODPC) was authorised under Section 8(f) of the DPA to accept and look into any complaints from individuals regarding violations of their rights under the DPA. In addition, Section 56(1) of the DPA provided that a data subject could file a complaint with the Data Commissioner in line with the DPA if they felt wronged by a decision made by anyone under the DPA. In light of this, the Complainant, Gloria Adisa Diffu, correctly brought this complaint to the proper forum, since she felt that her rights had been violated under the Data Protection Act. 

Breach of the DPA

The Office of the Data Protection Commissioner correctly discharged its duty under the Act: upon investigation, it found that the Respondent had fulfilled the Complainant’s request for data rectification. Accordingly, the ODPC concluded that none of the Complainant’s rights under the Data Protection Act were breached. This decision underscores the importance of ensuring that data controllers and processors promptly address requests for data deletion and rectification by data subjects, to avoid any potential breaches of the DPA.

 

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.