Complaints
Lucy Kinyanjui vs Easy Coach Limited/ODPC
On April 11th 2023, Lucy Kinyanju the Complainant, lodged a complaint with the Office of the Data Protection Commissioner claiming that Easy Coach Limited, the Respondent, had shared her personal details without her consent, leading to harassment by a third party who accused her of stealing his luggage. Easy Coach Limited collects and processes personal data of passengers for travel services and stores the information on their servers.
The Respondent argued that they collect and process personal data of passengers for the purpose of providing travel services. They stated that the Complainant's information was collected during the booking process, including details like name, address, phone number, ID document, date of birth, email address, and payment information. The Respondent emphasised that all collected information is stored securely on their servers. They also mentioned that they prepare passenger manifests for verification and financial management, with access limited to specific purposes such as legal and financial compliance. The Respondent further highlighted that they have put in place mitigation measures to address the issues raised in the complaint, including privacy policies, complaints handling procedures, staff training, and redacting passenger details on manifests to limit access. The Respondent stated further that they prepare passengers' manifests for verification and financial management, with access limited to specific purposes.
Issues for determination
The issues for determination in this case were:-,
- Whether the Respondent fulfilled its duty to notify the Complainant of the use of her contact details as per Section 29 of the Data Protection Act.
- Whether there was any infringement of the Complainant’s rights as a data subject as provided for in the Data Protection Act.
- Whether the Complainant is entitled to any remedies under the Data Protection Act .
Determination
The Office of the Data Protection Commissioner made the following determinations based on their analysis of the complaint, responses from the Respondent, and their investigations:
- The Respondent demonstrated compliance with collecting, storing, and processing personal data in accordance with the Data Protection Act.
- The Respondent fulfilled the duty to notify data subjects as required by the Act.
- The Data Commissioner directed the Respondent to provide proof of staff training within seven days of receiving the determination.
- In case of non-compliance with the training requirement, an Enforcement Notice would be issued.
Additionally, the Office of the Data Protection Commissioner noted that the Respondent had implemented organisational steps and safeguards to prevent unauthorised sharing of passenger data without consent, as requested by the Complainant.