Cases
Yasin Abukar Vs Wananchi Group Kenya Limited T/A Zuku Fibre Kenya
Case Summary.
The complainant filed a complaint to the ODPC on 15 November 2024 against the Respondent alleging the respondent’s failure to delete his personal data despite repeated requests to do so, a contravention to Section 40 of the Act. The Complainant had ceased being the Respondent’s clients but the respondent continued to send promotional messages to him despite multiple verbal, phone and email requests. The complainant tried issuing a formal request via an email address in the Respondent’s website which was undelivered. The complainant only received a “Service Auto suspension Notification” from the Respondent on 18 November 2024 after this complaint was already lodged. The Respondent contented that they had not received any formal request for deletion from the complaint and that the email address in the website was accurate and monitored. The Respondents' employees and agents were also uncooperative and despite the ODPC having a court warrant to search the respondent premises, digital and manual records and systems, such access was denied. The ODPC also attempted to conduct the Respondent via the email address in their Data Protection policy but the same was unsuccessful.
Issues for Determination
i. Whether there was an infringement of the Complainant’s rights under the Act and its attendant regulation; and
ii. Whether the Complainant is entitled to any remedies under the Act and the attendant regulations.
Determination
The Respondent violated the Complainant’s right to object to the processing of their personal data and the right to deletion of their personal data as provided by Section 36 and 40 of the Act. They denied the complainant the avenue to exercise his rights as their email address was ineffective. The Complainant is thus entitled to damages of KES. 500,000/=. The ODPC also recommended the prosecution of the Respondent’s directors for obstructing the Data commissioner.
Analysis
The case emphasizes on the right to object under Section 36 of the Act and erasure of personal data on request by a data subject as per Section 40 of the Act. The respondent in this case failed to have mechanisms to receive and effect erasure and objection requests from data subjects by providing ineffective email addresses in its website. Data Controllers and processors are required to cooperate with the Data Commissioner during investigation to avoid contravention of Section 61 of the Act. To ensure compliance with Section 26, 40 and 36 of the Act of objection and erasure rights, data controllers and Processors should ensure mechanisms to handle complaints.