Penalty Notices

Under Section 62 of the Data Protection Act (DPA), a penalty notice is issued by the Data Commissioner where a failure to comply with an enforcement notice has been established, the enforcement notice itself having been issued for failure to comply with the provisions of the DPA. Section 58 of the DPA prescribes that an enforcement notice is issued when the Data Commissioner establishes that a person has failed, or is failing, to comply with any provision of the Act. The enforcement notice will require that steps be taken to remedy the non-compliance within a specified period of time. The enforcement notice also specifies the provision of the Act which has been, is being, or is likely to be contravened; the measures that shall be taken to remedy or eliminate the situation which makes it likely that a contravention will arise; a period, which shall not be less than twenty-one days, within which those measures shall be implemented; and any right of appeal.

A penalty notice arises when the provisions of the enforcement notice are not complied with, as provided under section 62 of the DPA. The person and/or organisation issued with the penalty notice will be required to pay the amount specified in the notice. In issuing the penalty notice and determining the amount, the Data Commissioner will consider:

  • Nature, gravity and duration of the failure;
  • Whether the failure to comply with the notice was intentional or negligent;
  • Any actions taken by the data controller or processor to mitigate any damage or distress that may have been occasioned on the data subjects;
  • The degree of responsibility of the data controller or processor, taking into account technical and organisational measures;
  • Degree of cooperation with the data commissioner in order to remedy the situation;
  • Categories of personal data affected by the failure to comply;
  • The manner in which the infringement became known to the commissioner and the extent to which the data controller or processor notified the data commissioner of the failure;
  • Adherence to approved codes of conduct or certification mechanisms; and
  • Mitigating factors applicable to the case including financial benefits gained or losses avoided as a result of failure to comply with the enforcement notice whether directly or indirectly.

The maximum penalty that the Data Commissioner can issue for failure to comply under section 63 of the DPA is five million Kenyan shillings. Section 64 grants the right to appeal any administrative actions taken by the Data Commissioner, including enforcement notices and penalty notices.

The Case of Oppo Kenya

On 3rd November 2022, the Office of the Data Protection Commissioner (ODPC) issued an enforcement notice against Oppo Kenya after it infringed on the privacy of a complainant by using their photo on Oppo's Instagram account (stories) without the complainant's consent. Since issuing the enforcement notice, the ODPC noted that Oppo Kenya had failed to comply with its requirements by:

  • Failing to develop a policy that complies with section 37 of the Data Protection Act on consent;
  • Failing to show a data protection policy; and
  • Failing to show proof of internal mechanisms developed to address complaints.

The penalty notice issued against Oppo Kenya required them to pay Kshs. 5,000,000.00 to the ODPC in accordance with section 63 of the DPA and in line with Regulations 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.

The published notice can be accessed here.

The Case of Whitepath Company Limited

Whitepath Company Limited is an online money-lending platform providing users with loans. The ODPC issued a penalty notice against the company on 11th April 2023 following its failure to comply with an enforcement notice issued earlier, on 10th January 2023. Prior to issuing the enforcement notice against Whitepath, the ODPC had received up to 150 complaints from users of the platform stating that Whitepath had illegally accessed the mobile contacts of its users and was sending unwarranted and unsolicited messages to those contacts. Additionally, Whitepath employees had been harassing the contacts through phone calls and messages.

The illegal access to the contacts was in contravention of the Data Protection Act, specifically section 30 on lawful processing of personal data. Whitepath unlawfully processed the personal data of data subjects who had no idea that their data was being collected or processed, further contravening section 29 on the duty to notify data subjects of the processing of their personal data. It also contravened section 37 on consent, as the users of its platform did not consent to the processing of their personal contacts, nor did the unlawfully contacted persons consent to the collection of their personal data.

The published notice can be accessed here.

The Case of Regus Kenya

The ODPC issued a penalty notice on 11th April 2023 to Regus, a company that provides working space solutions for other companies and businesses. The penalty notice was issued as a result of Regus's failure to comply with an enforcement notice issued on 10th January 2023. Additionally, Regus failed to respond to a notification of complaint dated 27th October 2022 and a subsequent enforcement notice issued on 16th February 2023. The complaints against Regus were based on frequent spamming with improper automated messages. The complainant had also raised the matter with the company; however, the company failed to remedy the situation. It is unknown whether Regus complied with the penalty notice.

The published release can be accessed here.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

A data controller is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the establishment and administration of the data filing system.

A data processor is a natural or legal person that processes personal data on the basis of a data controller's authorisation.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: personal data must be processed fairly and lawfully; it must be accurate and kept up to date; it must be processed for specified, explicit, and legitimate purposes; it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed; and it must be retained only for the duration specified by law, or for no longer than is necessary for the purposes of the processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.