Mobile phone reseller Oppo Kenya is the first casualty of the recently enacted privacy laws after it was fined Sh5 million by the Office of the Data Protection Commissioner (ODPC), the maximum allowable penalty, for “infringement on the privacy of a complainant”.
In a penalty notice issued on Wednesday, Data Commissioner Immaculate Kassait said the company had defaulted on compliance with an enforcement notice issued against it on November 3.
“ODPC on November 3, 2022, issued an enforcement notice against Oppo Kenya (Company) after it infringed on the privacy of a complainant by using their photo on the company’s Instagram account (stories) without the complainant’s consent,” said the Data Commissioner in a statement.
“Oppo Kenya is, therefore, required to pay to the ODPC a penalty of Sh5 million pursuant to Section 63 of the Data Protection Act, and Regulation 20 of the Data Protection (Complaints Handling Procedure and Enforcement).”
The ODPC said Oppo had refused to cooperate by failing to develop a policy for compliance with Section 37 of the Act and also by failing to adduce a data protection policy pursuant to the enforcement notice issued.
The inferred section prohibits the use of personal data that has been obtained pursuant to the Act for commercial purposes without consent from the data subject or authorisation under any written law.
Oppo was also accused of failing to prove that it had developed an internal complaints mechanism to address data subjects’ complaints.
The privacy laws, which received a parliamentary nod in March of this year, require all data controllers and data processors to register with the ODPC.
The set of regulations includes the data protection (General) regulations 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
Companies that breach the rules face fines of not more than Sh5 million or up to one per cent of their annual turnover.
Data Commissioner Immaculate Kassait on Wednesday urged entities to comply with the laws by implementing data protection principles and safeguards to all processing activities that relate to the collection and storage of sensitive personal data.
“ODPC urges data controllers and data processors to ensure that the processing of personal data is in accordance with the Act. Failure to comply with the Act will result in instituting enforcement procedures,” said Kassait.