Cases Detail

Marlene Ngira Matunga Vs Whitepath Company Limited

Country: Kenya
Court:
Status: Determination
Tags: data protection, data subject rights

Case Summary.

The Complainant filed a complaint on 14 November 2024 against the Respondent for unlawful processing of her personal data. The Respondent repeatedly called and texted her using different phone numbers regarding her colleague, whom the Respondent alleged was one of its clients. The Respondent alleged the colleague had taken an online loan and provided the Complainant's details as the guarantor, meaning that she would be responsible to pay if the colleague defaulted. The Respondent disclosed that the colleague had defaulted in the payment of the loan and demanded that the Complainant call the colleague and urge them to settle the loan. The Complainant was not privy to the loan and no consent was sought before she was listed as a guarantor. The Respondent did not file a response to the complaint.

Issues of determination

  1. Whether there was a violation of the Complainant's rights under the Act;
  2. Whether the Respondent fulfilled its obligations under the Act; and
  3. Whether the Complainant is entitled to the remedies under the Act and its attendant Regulations.

Determination

The Respondent violated the Complainant's right to be informed about the purpose for which her personal data was collected and processed. The Respondent, being a data controller, failed in its duty to inform the Complainant about her rights under the Act and of its intention to use her personal data for third-party debt recovery, which would have allowed her to give or deny consent. The Respondent did not prove that it had obtained consent from the Complainant for the processing of her personal data, nor did it satisfy any lawful basis of processing, and did not fulfil its obligations under the Act. The Complainant requested compensation for breach of her privacy and for emotional and psychological harm, and the Office ordered the Respondent to compensate her KES. 450,000/=. An enforcement notice was also issued against the Respondent to ensure compliance with the Act.

Analysis

This case highlights the need to ensure that processing of personal data complies with section 30 of the Act, either by obtaining the data subject's consent prior to processing or by relying on another lawful basis. It is a wake-up call for digital lenders to ensure compliance with the Act by collecting and using data in adherence to it. The Respondent should have put in place mechanisms to ensure that the consent of the guarantor is obtained before processing their personal data.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.