Cases
Philip Bolo Vs Platinum Credit Limited
Case Summary.
The Complainant lodged a complaint on 22 October 2024 alleging that the Respondent contacted him via text messages and calls from the Respondent's employees promoting its loan products without his consent. Despite the Complainant sending emails requesting the Respondent to stop, the contact continued. The Complainant had also made requests to the Respondent to delete his number from their database. The Respondent stated that the Complainant has never been their customer and thus they do not have his data in their database. Additionally, they contended that, upon investigation, the phone numbers used to call the Complainant were not those of its agents and were not related to the Respondent. Upon investigation, an email admission by the general manager of the Respondent that the Complainant was contacted by its agent was discovered. The email contained an apology to the Complainant and disclosed that the general manager had been terminated.
Issues of determination
1. Whether the Respondent fulfilled its obligations under the Act;
2. Whether there was violation of the Complainant's rights under the Act; and
3. Whether the Complainant is entitled to any remedies under the Act and the attendant Regulations.
Determination
The Respondent is a data controller and should ensure that processing of personal data has a lawful basis and obtain consent before commercial use of personal data. Since the Respondent could not prove the Complainant's consent or any opt-out mechanism, it failed to fulfil its obligations under the Act. The Complainant's right to object to the processing of his data and his right to erasure were also violated by the Respondent, which through its agents continued to send unsolicited promotional messages to the Complainant. As a consequence, the Respondent was ordered to pay KES. 900,000/= to the Complainant and an Enforcement Notice was issued against the Respondent.
Analysis
The case highlights the need to obtain express consent from a data subject before commercial use of their data. For data processors and controllers to avoid violating data subjects' right to erasure and right to object, as per Sections 26 and 40 of the Act, they should establish proper opt-out mechanisms and ensure processing is lawful as per Section 30 of the Act.