
Enforcement Notice

An enforcement notice is written documentation issued by the Data Commissioner upon satisfactory proof of a breach of the provisions of the Data Protection Act (DPA). The Data Commissioner is mandated under the DPA to issue such a notice when the office receives a complaint of breach of, and failure to adhere to, the provisions of the DPA (Section 58). The Commissioner is mandated to establish the validity of the complaint through an investigative process undertaken within a period of 90 days; once the Commissioner establishes failure to comply with any provision of the Act (Section 57), the Data Commissioner serves an enforcement notice on the person or institution against whom the complaint was made, requiring that steps be taken to remedy and/or mitigate the breach and/or non-compliance. As provided under Section 58, an enforcement notice contains:

  • the provision of the DPA which has been, is being, or is likely to be contravened;
  • the measures to be taken to remedy the contravention, or to eliminate the situation which makes it likely that a contravention will arise;
  • the implementation period of the enforcement notice, not exceeding 21 days from the date of issue; and
  • the right to appeal.

Failure to comply with the provisions of the DPA will attract a fine of Kenya Shillings Five Million or imprisonment for a term not exceeding two years [Section 58(3)].

Enforcement Notice issued against Aga Khan University Hospital

On 5th October 2022, the Office of the Data Protection Commissioner (ODPC) issued an enforcement notice against Aga Khan Hospital. The enforcement notice was issued following a complaint made to the Data Commissioner by a patient who reported that, after visiting the hospital, a staff member inappropriately contacted them, contrary to Sections 25, 41, and 46 of the DPA. Section 25 provides for the data protection principles; Section 41 provides for the implementation of technical and organisational measures to achieve data protection by design and by default; and Section 46 provides for the handling of personal data relating to health.

In exercising the provisions of Section 58 of the Data Protection Act, the Data Commissioner issued an enforcement notice directing the Hospital to outline the specific measures it will take to mitigate or eliminate the breach/contravention, and to rectify and/or put in place structures within 30 days.

The release on the Enforcement Notice can be accessed here.

Enforcement Notice issued against Ecological Industries Limited

A complaint was filed against Ecological Industries with the Data Commissioner, accusing Ecological Industries of unlawfully publishing personal photos in marketing materials, i.e. the company's catalogue and calendar. Ecological Industries received notice from the complainant to remedy the breach on 25th January 2023, and a reminder was subsequently sent on 15th February 2023. Failure to remedy the breach prompted the complaint to the Data Commissioner, which led to the issuance of the enforcement notice.

The release of the Enforcement Notice can be accessed here.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed;
  • to request information about the processing, if the data has been processed;
  • to be informed of the purpose of the processing and whether the data is being used in accordance with that purpose;
  • to be informed about third parties who receive the personal data, in Kenya and abroad;
  • to request the rectification of incomplete or inaccurately processed data; and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

A data controller is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the establishment and administration of the data filing system.

A data processor is a natural or legal person that processes personal data on the basis of a data controller's authorisation.

The data controller or processor is required to provide the following information: the purpose of the processing; the recipients of the processed data and the purpose of any transfer; the method used to collect the personal data and its legal basis; and any other rights granted to the data subject by law.

The principles governing data processing are as follows: personal data must be processed fairly and lawfully; it must be accurate and up to date; it must be processed for specified, explicit, and legitimate purposes; it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed; and it must be retained for the duration specified by law, or for no longer than is necessary for the purposes of the processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data. A data processor, on the other hand, is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.