Mobile loans lender Whitepath and office space provider Regus Kenya have been slapped with Sh5 million penalty each for breaching customer data privacy.
The Office of the Data Protection Commissioner (ODPC) said it had received close to 150 complaints from Whitepath clients alleging that the digital lender was mining their phone contacts and sending them unsolicited messages contrary to data protection laws.
The regulator said Tuesday the firm had failed to comply with an earlier enforcement notice, resulting in the fine.
Regus has been punished for failing to respond to complaints alleging frequent spamming and inappropriate automated information despite attempts by the complainant to make the firm stop.
“Each company is required to pay the ODPC a penalty of Kenya shillings five million pursuant to section 63 of the Data Protection Act and Regulation 20 of the Data Protection (Complaints Handling Procedure and Enforcement),” the data commissioner said.
The inferred section prohibits the use of personal data that has been obtained pursuant to the Act for commercial purposes without consent from the data subject or authorisation under any written law.
The privacy laws, which received a parliamentary nod in March last year, require all data controllers and data processors to register with the ODPC.
The set of regulations includes the Data Protection (General) Regulations 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
Companies that breach the rules face fines of not more than Sh5 million or up to one percent of their annual turnover.
The ODPC has also issued an enforcement notice to Ecological Industries Limited for non-cooperation with several notifications of a lodged complaint. In the suit, the firm is accused of publishing a personal photo on a company catalogue and calendar for marketing purposes.
The firm has been warned of a penalty notice if it fails to comply with the enforcement notice within the stipulated timelines.
Data Commissioner Immaculate Kassait has urged businesses to comply with the data protection laws to avoid penalties.
“Data protection is the responsibility of every data controller and processor and it must be the company’s top priority whenever they collect, process, or store personal information. I challenge businesses to protect personal data by design and by default to avoid penalties,” said Ms Kassait.
