Lessons from data protection notices


Data Protection Commissioner, Immaculate Kassait. FILE PHOTO | JEFF ANGOTE | NMG

No sooner had the dust settled on the enforcement notice that the Office of the Data Protection Commissioner (ODPC) issued to Aga Khan University Hospital than it had an early Christmas gift for Oppo Kenya in the form of a penalty notice.

In December, the ODPC said the notice was due to Oppo Kenya's failure to comply with an enforcement notice dated November 3, 2022.

This was followed by a decision pitting a top-tier law firm against two of its former employees with regard to data breaches. The ODPC is working.

Oppo Kenya was accused of violating the complainant’s privacy by posting a photo on the company’s Instagram account (stories) without permission.

The enforcement notice asked Oppo Kenya to submit and/or adopt a policy to comply with Section 37 of the Data Protection Act, which includes rules for the commercial use of personal data.

The notice also required Oppo Kenya to adduce a data protection policy and proof that it has developed an internal complaints mechanism to address data subjects' complaints.

Due to being uncooperative, Oppo Kenya was ordered to pay the ODPC a penalty of Sh5 million.

Businesses should be mindful that today's consumers are increasingly aware of their privacy rights and should work on complying with data protection laws.

Compliance will help them avoid trouble with the regulator and it is good for their reputation.

One place to begin is to ensure that they are registered with the ODPC as data controllers or processors. Compliance does not end at this stage.

Businesses should also have data protection policies to govern the usage, monitoring and management of personal data.

The purpose is to preserve and secure all personal data that the entity consumes, manages, and stores.
